Cisco ACS - Limit Network Access Profiles to Active Directory User Group?

I'm currently in the process of migrating from Microsoft IAS to Cisco ACS 4.2. I'm currently running an Eval of CSACS v4.2 for Windows in the Lab until I can work out the issues.

So far I've been fairly successful getting user accounts authenticated with active directory credentials using the "Windows Database" external user database. The only problem I've run into is that I can't seem to figure out how to restrict access based on Active Directory group membership.

For instance, in the lab I have a Cisco 3750 switch using RADIUS authentication tied back to the ACS server to control login access. But given my current ACS configuration everyone in the windows domain can login to the switch. How can I restrict that down to just a specific user group in Active Directory?

Reply to
Loading thread data ...

I am also having the same issue? did you ever find a solution?



Reply to

You can do this via Unknown user group mappings. Assuming you've added Windows Database in your ACS in the unknown user policy, do the following:

- go to external user databases, database group mappings

- select windows database

- select your domain. Add a mapping to map from AD group to ACS group, say "Group A"

- Unmapped groups will by default be mapped to the ACS default group.

- In the ACS default group, in group setup, edit the settings so that in the "Per Group Defined Network Access Restrictions" has the following setting: - denied calling/point of access locations - Add the appropriate AAA client to deny (in ths case your switch)

- In the ACS "Group A" (mapped above), in group setup: - allowed calling/point of access locations - add the AAA client to allow

Reply to
Cen Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.